author | Joe Slater <joe.slater@windriver.com> | 2022-11-18 09:35:26 -0800 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-11-22 12:26:45 +0000 |
commit | 2f92cccb74bdb1dff46195c0a7ddf5cd67934395 (patch) | |
tree | 4de7643cc622c837ab119b8c067489f216365f0b | |
parent | 1be02b42d939d77fae460667088277660a77188a (diff) | |
download | poky-2f92cccb74bdb1dff46195c0a7ddf5cd67934395.tar.gz |
python3: Fix CVE-2022-37460
Apply a patch that was created after the release of 3.11.0.
(From OE-Core rev: 1a8836ed324f3f9abb2eabe357ffe2e05124857e)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/python/python3/cve-2022-37460.patch | 95 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3_3.11.0.bb | 1 |
2 files changed, 96 insertions, 0 deletions
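--- /dev/null
+++ b/meta/recipes-devtools/python/python3/cve-2022-37460.patch
@@ -0,0 +1,95 @@
+From 94582bb643f98bc58b1ff206d1d2a56f97c3a7e5 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+<31488909+miss-islington@users.noreply.github.com>
+Date: Wed, 28 Sep 2022 16:46:11 -0700
+Subject: [PATCH] gh-97612: Fix shell injection in get-remote-certificate.py
+(GH-97613)
+
+Fix a shell code injection vulnerability in the
+get-remote-certificate.py example script. The script no longer uses a
+shell to run "openssl" commands. Issue reported and initial fix by
+Caleb Shortt.
+
+Remove the Windows code path to send "quit" on stdin to the "openssl
+s_client" command: use DEVNULL on all platforms instead.
+
+Co-authored-by: Caleb Shortt <caleb@rgauge.com>
+(cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341)
+
+Co-authored-by: Victor Stinner <vstinner@python.org>
+---
+CVE: CVE-2022-37460
+
+Upstream-Status: Backport [https://github.com/python/cpython.git]
+[commit 94582bb643... unmodified]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+---
+...2-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst | 3 +++
+Tools/scripts/get-remote-certificate.py | 25 ++++++-------------
+2 files changed, 10 insertions(+), 18 deletions(-)
+create mode 100644 Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
+
+diff --git a/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
+new file mode 100644
+index 0000000000..2f113492d4
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
+@@ -0,0 +1,3 @@
++Fix a shell code injection vulnerability in the ``get-remote-certificate.py``
++example script. The script no longer uses a shell to run ``openssl`` commands.
++Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.
+diff --git a/Tools/scripts/get-remote-certificate.py b/Tools/scripts/get-remote-certificate.py
+index 38901286e1..68272fca83 100755
+--- a/Tools/scripts/get-remote-certificate.py
++++ b/Tools/scripts/get-remote-certificate.py
+@@ -15,8 +15,8 @@
+def fetch_server_certificate (host, port):
+
+def subproc(cmd):
+- from subprocess import Popen, PIPE, STDOUT
+- proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, shell=True)
++ from subprocess import Popen, PIPE, STDOUT, DEVNULL
++ proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, stdin=DEVNULL)
+status = proc.wait()
+output = proc.stdout.read()
+return status, output
+@@ -33,8 +33,8 @@ def strip_to_x509_cert(certfile_contents, outfile=None):
+fp.write(m.group(1) + b"\n")
+try:
+tn2 = (outfile or tempfile.mktemp())
+- status, output = subproc(r'openssl x509 -in "%s" -out "%s"' %
+- (tn, tn2))
++ cmd = ['openssl', 'x509', '-in', tn, '-out', tn2]
++ status, output = subproc(cmd)
+if status != 0:
+raise RuntimeError('OpenSSL x509 failed with status %s and '
+'output: %r' % (status, output))
+@@ -45,20 +45,9 @@ def strip_to_x509_cert(certfile_contents, outfile=None):
+finally:
+os.unlink(tn)
+
+- if sys.platform.startswith("win"):
+- tfile = tempfile.mktemp()
+- with open(tfile, "w") as fp:
+- fp.write("quit\n")
+- try:
+- status, output = subproc(
+- 'openssl s_client -connect "%s:%s" -showcerts < "%s"' %
+- (host, port, tfile))
+- finally:
+- os.unlink(tfile)
+- else:
+- status, output = subproc(
+- 'openssl s_client -connect "%s:%s" -showcerts < /dev/null' %
+- (host, port))
++ cmd = ['openssl', 's_client', '-connect', '%s:%s' % (host, port), '-showcerts']
++ status, output = subproc(cmd)
++
+if status != 0:
+raise RuntimeError('OpenSSL connect failed with status %s and '
+'output: %r' % (status, output))
+--
+2.38.1
+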
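Review bot: The backported hunk for strip_to_x509_cert still derives the output path from `tn2 = (outfile or tempfile.mktemp())` (a context line, so the patched script keeps it), and tempfile.mktemp only returns a name, so the file is created later by the openssl child and can be pre-created by another local process in between; the argv-list fix removes the shell injection but leaves this temp-file race in place. Since this patch file is applied unmodified from upstream commit 94582bb643, the change belongs in a follow-up patch rather than an edit here: `fd, tn2 = tempfile.mkstemp(); os.close(fd)` (or `tempfile.NamedTemporaryFile(delete=False)`) creates the file atomically with restrictive permissions; the creation of `tn` further up in strip_to_x509_cert lies outside the hunk and presumably needs the same treatment. In the new `subproc` helper, `status = proc.wait()` runs before `proc.stdout.read()`, so a child that writes more than the pipe buffer can stall; `output, _ = proc.communicate()` followed by `status = proc.returncode` avoids that while keeping the same return value.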
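--- a/meta/recipes-devtools/python/python3_3.11.0.bb
+++ b/meta/recipes-devtools/python/python3_3.11.0.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
 file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \
 file://deterministic_imports.patch \
 file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
+file://cve-2022-37460.patch \
 "
 
 SRC_URI:append:class-native = " \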